M365: Crate to facilitate compromised account investigation
in progress
Tim Fournet
Pulling logs from O365, identifying and rectifying malicious mail flow rules. Grabbing forensic data from cloud & end-user devices.
Derrick Bennett
would love for this to work natively with Huntress integrations as well...
Adam Willford
in progress
MVP is being scoped and planned for this automation.
Adam Willford
Merged in a post:
M365 - Email Compromise Response
Jamie Moore
Reset of Password
End all Sessions
Block Sign In
Pull report on Sign In Activities
Complete a Mail Recall
Pull a mailflow report to see what recipients were emailed during a specific timeframe
Send out email to those recipients to ignore / delete mail that was sent
Remove all mail rules that forward to an external domain
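The containment, reporting and rule-cleanup steps listed above, as an added PowerShell example that is not part of the original post or of any product mentioned on this board. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator already holds the needed admin roles, and that the `$Upn` / `-Remediate` parameters are my own; the password reset is left to the admin portal so it is logged there.

```powershell
# Added example: contain one compromised M365 account and strip external forwarding rules.
# Assumes ExchangeOnlineManagement + Microsoft.Graph modules and admin roles (assumption).
param(
    [Parameter(Mandatory)] [string] $Upn,   # compromised user, e.g. user@contoso.com
    [switch] $Remediate                     # without this switch the script only reports
)

Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","Directory.Read.All" | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# Block sign-in and end all sessions (revokes refresh tokens). Reset the password in the portal.
if ($Remediate) {
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null
}

# Sign-in activity report for the ticket / internal notes.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress,
        @{n='Country'; e={ $_.Location.CountryOrRegion }},
        AppDisplayName, @{n='Error'; e={ $_.Status.ErrorCode }} |
    Format-Table -AutoSize

# Mail flow report: who the account emailed in the last 7 days (recipients to notify).
Get-MessageTrace -SenderAddress $Upn -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object RecipientAddress -Unique | Format-Table -AutoSize

# Inbox rules that forward or redirect to a domain the tenant does not own.
function Get-ExternalForwardingRules {
    param([string] $Mailbox, [string[]] $OwnDomains)
    Get-InboxRule -Mailbox $Mailbox | Where-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
        # Recipients render as '"Name" [SMTP:addr]'; keep any whose domain is external.
        $external = foreach ($t in $targets) {
            if ($t -match 'SMTP:([^\]]+)') {
                $dom = $Matches[1].Split('@')[-1].ToLower()
                if ($dom -notin $OwnDomains) { $dom }
            }
        }
        [bool]$external
    }
}

$ownDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
$suspect = Get-ExternalForwardingRules -Mailbox $Upn -OwnDomains $ownDomains
$suspect | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage | Format-List

foreach ($rule in $suspect) {
    if ($Remediate) { Remove-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false }
}
```

Run it once without `-Remediate` to capture the rule list and sign-in report before anything is changed, so the evidence is preserved in the ticket.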
Logan Cook
HAWK tool could be used for this: https://cloudforensicator.com/documentation
CIPP does something similar, but I would love to be able to associate the investigation and results to a ticket in PSA.
Example:
PoC reports potential incident > Tech runs flow from pod (or form) > HAWK tool gathers all related info and dumps into internal notes for tech review.
Might even be possible to include some conditions that are especially indicative of compromise and drop a "Remediate Now" webhook link.
Brent Kenreich
Especially Azure AD logons